Security tokens are created in the Security Token Service via the TokenProvider interface. It has three methods:
-
boolean canHandleToken(String tokenType)- Whether this TokenProvider implementation can provide a token of the given type -
boolean canHandleToken(String tokenType, String realm)- Whether this TokenProvider implementation can provide a token of the given type, in the given realm -
TokenProviderResponse createToken(TokenProviderParameters tokenParameters)- Create a token using the given parameters
A client can request a security token from the STS by either invoking the issue operation and supplying a desired token type, or else calling the validate operation and passing a (different) token type (token transformation). Assuming that the client request is authenticated and well-formed, the STS will iterate through a list of TokenProvider implementations to see if they can "handle" the received token type. If they can, then the implementation is used to create a security token, which is returned to the client. The second canHandleToken method also requires a realm parameter.
To support the issuing of a particular token type in an STS deployment, it is necessary to specify a TokenProvider implementation that can handle that token type. The STS currently ships with two TokenProvider implementations, one for generating SecurityContextTokens, and one for generating SAML Assertions. Before looking at these two implementations, let's take a look at the createToken operation in more detail. This method takes a TokenProviderParameters instance.